CVE-2006-3138

Description

Multiple cross-site scripting (XSS) vulnerabilities in phpMyDirectory 10.4.5 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) PIC parameter in offers-pix.php, (2) from parameter in cp/index.php, and (3) action parameter in cp/admin_index.php.

Affected products

• accomplishtechnology / phpmydirectory10.4.5
• accomplishtechnology / phpmydirectory1.0 – 1.0
• accomplishtechnology / phpmydirectory1.0.1 – 1.0.1
• accomplishtechnology / phpmydirectory1.0.2 – 1.0.2
• accomplishtechnology / phpmydirectory1.0.3 – 1.0.3
• accomplishtechnology / phpmydirectory1.0.4 – 1.0.4
• accomplishtechnology / phpmydirectory1.0.5 – 1.0.5
• accomplishtechnology / phpmydirectory1.0.6 – 1.0.6
• accomplishtechnology / phpmydirectory1.0.7 – 1.0.7
• accomplishtechnology / phpmydirectory1.0.8 – 1.0.8
• accomplishtechnology / phpmydirectory1.0.9 – 1.0.9
• accomplishtechnology / phpmydirectory1.1.0 – 1.1.0
• accomplishtechnology / phpmydirectory1.1.1 – 1.1.1
• accomplishtechnology / phpmydirectory1.1.2 – 1.1.2
• accomplishtechnology / phpmydirectory1.1.3 – 1.1.3
• accomplishtechnology / phpmydirectory1.1.4 – 1.1.4
• accomplishtechnology / phpmydirectory1.1.5 – 1.1.5
• accomplishtechnology / phpmydirectory1.1.6 – 1.1.6
• accomplishtechnology / phpmydirectory1.1.7 – 1.1.7
• accomplishtechnology / phpmydirectory1.1.8 – 1.1.8
• accomplishtechnology / phpmydirectory1.1.9 – 1.1.9
• accomplishtechnology / phpmydirectory1.2.0 – 1.2.0
• accomplishtechnology / phpmydirectory1.2.0 – 1.2.0
• accomplishtechnology / phpmydirectory1.2.1 – 1.2.1
• accomplishtechnology / phpmydirectory1.3.0 – 1.3.0
• accomplishtechnology / phpmydirectory1.3.0 – 1.3.0
• accomplishtechnology / phpmydirectory1.3.1 – 1.3.1
• accomplishtechnology / phpmydirectory1.3.2 – 1.3.2
• accomplishtechnology / phpmydirectory1.3.3 – 1.3.3
• accomplishtechnology / phpmydirectory1.3.4 – 1.3.4
• accomplishtechnology / phpmydirectory1.3.5 – 1.3.5
• accomplishtechnology / phpmydirectory1.4.0 – 1.4.0
• accomplishtechnology / phpmydirectory1.4.1 – 1.4.1
• accomplishtechnology / phpmydirectory10.1.3 – 10.1.3
• accomplishtechnology / phpmydirectory10.4.4 – 10.4.4

References

• MISChttp://www.osvdb.org/26671
• VENDOR_ADVISORYhttp://www.vupen.com/english/advisories/2006/2427
• MISChttp://pridels0.blogspot.com/2006/06/phpmydirectory-xss-vuln.html
• MISChttps://exchange.xforce.ibmcloud.com/vulnerabilities/27211
• MISChttp://www.securityfocus.com/bid/18539
• MISChttp://www.osvdb.org/26669
• MISChttp://www.osvdb.org/26670
• VENDOR_ADVISORYhttp://secunia.com/advisories/20718